prefer sha256 (the old-way) over sha1 mixup for two different ftpds

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
Michael Kaufmann
2022-10-30 14:22:25 +01:00
parent 1f43f5d514
commit 5aa059bb24
11 changed files with 26 additions and 28 deletions


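--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -43,7 +43,6 @@ CREATE TABLE `ftp_users` (
 `uid` int(5) NOT NULL default '0',
 `gid` int(5) NOT NULL default '0',
 `password` varchar(255) NOT NULL,
-`password_compat` varchar(255) NOT NULL,
 `homedir` varchar(255) NOT NULL default '',
 `shell` varchar(255) NOT NULL default '/bin/false',
 `login_enabled` enum('N','Y') NOT NULL default 'N',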


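--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -70,9 +70,6 @@ if (Froxlor::isFroxlorVersion('0.10.38')) {
 Database::query("ALTER TABLE `" . TABLE_PANEL_CUSTOMERS . "` ADD `allowed_mysqlserver` varchar(500) NOT NULL default '[0]';");
 // ftp_users adjustments
 Database::query("ALTER TABLE `" . TABLE_FTP_USERS . "` CHANGE `password` varchar(255) NOT NULL default '';");
-Database::query("ALTER TABLE `" . TABLE_FTP_USERS . "` ADD `password_compat` varchar(255) NOT NULL default '' AFTER `password`;");
-// update existing entries
-Database::query("UPDATE `" . TABLE_FTP_USERS . "` SET `password_compat` = `password`;");
 // mail_users adjustments
 Database::query("ALTER TABLE `" . TABLE_MAIL_USERS . "` CHANGE `password` varchar(255) NOT NULL default '';");
 Database::query("ALTER TABLE `" . TABLE_MAIL_USERS . "` CHANGE `password_enc` varchar(255) NOT NULL default '';");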
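Review bot: Removing the `password_compat` column and its backfill from the 0.10.38 block leaves no visible migration for installations that already ran the earlier version of this block: they keep the orphan column, and FTP rows written in that window hold a `{SHA1}`-style value in `password` (going by the removed `makeCryptPassword($password, false, true)` call in the Ftps hunk), which the new sha256-crypt path cannot convert. Since a hash cannot be re-encoded, those users need a password reset; a comment above the ftp_users adjustments such as `// NOTE: password now stores sha256-crypt; values written by earlier 0.10.38 dev builds cannot be converted and require a password reset` would record that, and a later version block could drop the stale column. Separately, the surrounding `CHANGE \`password\` varchar(255) ...` statements are context only, but MySQL's CHANGE syntax expects the new column name after the old one, so they look as if they need `MODIFY` — worth confirming this block executes. The enclosing `if` starts and ends outside the hunk.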


@@ -173,17 +173,15 @@ class Ftps extends ApiCommand implements ResourceEntity
} else { } else {
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path); $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
$cryptPassword = Crypt::makeCryptPassword($password, false, true); $cryptPassword = Crypt::makeCryptPassword($password, false, true);
$cryptPasswordCompat = Crypt::makeCryptPassword($password, true, true);
$stmt = Database::prepare("INSERT INTO `" . TABLE_FTP_USERS . "` $stmt = Database::prepare("INSERT INTO `" . TABLE_FTP_USERS . "`
(`customerid`, `username`, `description`, `password`, `password_compat`, `homedir`, `login_enabled`, `uid`, `gid`, `shell`) (`customerid`, `username`, `description`, `password`, `homedir`, `login_enabled`, `uid`, `gid`, `shell`)
VALUES (:customerid, :username, :description, :password, :passwordc, :homedir, 'y', :guid, :guid, :shell)"); VALUES (:customerid, :username, :description, :password, :passwordc, :homedir, 'y', :guid, :guid, :shell)");
$params = [ $params = [
"customerid" => $customer['customerid'], "customerid" => $customer['customerid'],
"username" => $username, "username" => $username,
"description" => $description, "description" => $description,
"password" => $cryptPassword, "password" => $cryptPassword,
"passwordc" => $cryptPasswordCompat,
"homedir" => $path, "homedir" => $path,
"guid" => $customer['guid'], "guid" => $customer['guid'],
"shell" => $shell "shell" => $shell
@@ -444,10 +442,9 @@ class Ftps extends ApiCommand implements ResourceEntity
Response::standardError('passwordshouldnotbeusername', '', true); Response::standardError('passwordshouldnotbeusername', '', true);
} }
$cryptPassword = Crypt::makeCryptPassword($password, false, true); $cryptPassword = Crypt::makeCryptPassword($password, false, true);
$cryptPasswordCompat = Crypt::makeCryptPassword($password, true, true);
$stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "` $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`
SET `password` = :password, `password_compat` = :passwordc SET `password` = :password
WHERE `customerid` = :customerid WHERE `customerid` = :customerid
AND `id` = :id AND `id` = :id
"); ");
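Review bot: In the INSERT of the create path the VALUES clause still carries `:passwordc` (the line is identical on both sides), while the new column list has nine columns and `$params` no longer binds `passwordc`, so the ten-value clause is mismatched and the prepared statement should fail at execute time (an unbound parameter or a column-count error), which would mean FTP accounts can no longer be created. The line should read `VALUES (:customerid, :username, :description, :password, :homedir, 'y', :guid, :guid, :shell)");`. The UPDATE in the `-444` hunk is consistent with the new column set. Both enclosing methods start and end outside their hunks.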


@@ -35,8 +35,13 @@ class Crypt
/** /**
* Generates a random password * Generates a random password
*
* @param int $length optional, will be read from settings if not given
* @param bool $isSalt optional, default false, do not include special characters
*
* @return string
*/ */
public static function generatePassword(int $length = 0) public static function generatePassword(int $length = 0, bool $isSalt = false)
{ {
$alpha_lower = 'abcdefghijklmnopqrstuvwxyz'; $alpha_lower = 'abcdefghijklmnopqrstuvwxyz';
$alpha_upper = strtoupper($alpha_lower); $alpha_upper = strtoupper($alpha_lower);
@@ -57,7 +62,7 @@ class Crypt
$pw .= mb_substr(self::specialShuffle($numeric), 0, $n); $pw .= mb_substr(self::specialShuffle($numeric), 0, $n);
} }
if (Settings::Get('panel.password_special_char_required')) { if (Settings::Get('panel.password_special_char_required') && !$isSalt) {
$pw .= mb_substr(self::specialShuffle($special), 0, $n); $pw .= mb_substr(self::specialShuffle($special), 0, $n);
} }
@@ -207,21 +212,21 @@ class Crypt
* @param string $password * @param string $password
* Password to be encrypted * Password to be encrypted
* @param bool $htpasswd * @param bool $htpasswd
* optional whether to generate a SHA1 password for directory protection, if this and $openssl is set, outputs sha1-hash * optional whether to generate a SHA1 password for directory protection
* @param bool $openssl * @param bool $ftpd
* optional generates $htpasswd like strings but for proftpd {algo}base64encoded_hash, if this and $htpasswd is set, outputs sha1-hash * optional generates sha256 password strings for proftpd/pureftpd
* *
* @return string encrypted password * @return string encrypted password
*/ */
public static function makeCryptPassword($password, $htpasswd = false, $openssl = false) public static function makeCryptPassword(string $password, bool $htpasswd = false, bool $ftpd = false)
{ {
if ($htpasswd || $openssl) { if ($htpasswd || $ftpd) {
if ($htpasswd && $openssl) { if ($ftpd) {
// sha1 compatible for pure-ftpd (not encoded) // sha256 compatible for proftpd and pure-ftpd
return sha1($password); return crypt($password, '$5$' . self::generatePassword(16, true) . '$');
} }
// sha1 hash for either dir-protection or (if openssl=1) for proftpd // sha1 hash for dir-protection
return '{SHA' . ($openssl ? '1' : '') . '}' . base64_encode(sha1($password, true)); return '{SHA}' . base64_encode(sha1($password, true));
} }
// crypt using the specified crypt-algorithm or system default // crypt using the specified crypt-algorithm or system default
$algo = Settings::Get('system.passwordcryptfunc') !== null ? Settings::Get('system.passwordcryptfunc') : PASSWORD_DEFAULT; $algo = Settings::Get('system.passwordcryptfunc') !== null ? Settings::Get('system.passwordcryptfunc') : PASSWORD_DEFAULT;


@@ -4459,7 +4459,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
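Review bot: With the stored value now always a sha256-crypt string, `MYSQLCrypt any` on the context line above is broader than needed: pure-ftpd's `any` tries every scheme it knows in turn, including legacy md5/sha1 hex and, depending on the version, cleartext, so a value left in one of those formats would still authenticate. `MYSQLCrypt crypt` would pin verification to crypt(3) and is the tighter setting once existing users have been re-hashed; the same applies to the templates in the sections at `-3098`, `-4670`, `-4661`, `-3876`, `-3577` and the final `-3876`. That these distro templates are all pure-ftpd is inferred from the `MYSQLGetPW` directive, which is pure-ftpd's syntax.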
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid


@@ -3098,7 +3098,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid


@@ -4670,7 +4670,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid


@@ -4661,7 +4661,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid


@@ -3876,7 +3876,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid


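--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -3577,7 +3577,7 @@ MYSQLUser <SQL_UNPRIVILEGED_USER>
 MYSQLPassword <SQL_UNPRIVILEGED_PASSWORD>
 MYSQLDatabase <SQL_DB>
 MYSQLCrypt any
-MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetUID SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"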


@@ -3876,7 +3876,7 @@ MYSQLCrypt any
# Query to execute in order to fetch the password # Query to execute in order to fetch the password
MYSQLGetPW SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y" MYSQLGetPW SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
# Query to execute in order to fetch the system user name or uid # Query to execute in order to fetch the system user name or uid